Trend Micro: bandcampro ran a C2 botnet on Gemini CLI
Trend Micro logs 200+ Gemini CLI sessions from a Russian-speaking actor tracked as bandcampro: C2 migration, credential work, and daily botnet ops.
Trend Micro’s writeup, published July 15, 2026, characterizes over 200 sessions in which a Russian-speaking actor tracked as bandcampro drove Google’s open-source Gemini CLI as the operator layer on a small command-and-control botnet. The CLI took natural-language requests, generated the code and infrastructure changes the actor asked for, and stayed in the loop for the follow-up debugging. One primary source (Trend Micro), one secondary summary (BleepingComputer), no independent confirmation from Google as of publication.
What Gemini CLI actually is, in this context
Gemini CLI is a command-line coding assistant. It reads files, edits files, runs shell commands, and iterates against error output. It is not a browser plugin, not a chat pane. It runs on the host it is installed on and inherits the shell that started it.
That is the shape of the tool. It is also the shape of a persistent, natural-language remote shell — which is what bandcampro used it as.
The Trend Micro summary describes a five-kilobyte working set: three plain-text files consisting of a jailbreak prompt, a C2 playbook, and a migration guide. Everything else — the server code, the payload code, the deploy scripts, the Cloudflare tunnel configuration — was generated on demand from those three files. The migration of the C2 backend took six minutes from a single-line instruction to the CLI.
The observed operations
- Botnet management by conversational query: which machines are online, generate a new infection link. No dashboard, no custom tooling — the shell was the dashboard.
- Credential work. Password variants generated for a WordPress admin portal; a stolen 1Password dump handed to the CLI for triage.
- Compromise scope. Trend Micro places the operator’s reach at eight systems in a dental clinic, with access to the OpenDental database. The characterization suggests a small-time operator, not a nation-state.
- Session count. Roughly 200 sessions. The date-range phrasing in the secondary summary reads as a typo — the material fact is the count, not the interval.
- Safety, hit-and-miss. Gemini refused to build a self-spreading agent-worm in at least one instance. It did not refuse the rest of the workflow.
BleepingComputer characterized the actor’s own malware as “rather unsophisticated” with no obfuscation or packing. That reads as consistent with the Trend Micro picture: the sophistication lives in the model, not in the payloads. A tool that can write the payload on demand does not need the payload to be clever.
The physical-layer read
The novelty is not that an attacker used a language model. Attackers have been pasting shell into chat interfaces for two years. The novelty is that the language model was, in this case, the operator. bandcampro did not automate around the CLI; he ran the campaign through it.
That collapses a distinction that used to be load-bearing for defenders: is this an interactive session or an automated tool. On a host log, an agentic CLI writing a Cloudflare configuration and an operator typing at a shell look almost identical. Session length, command pacing, and human-timing heuristics all degrade. The tell — a five-kilobyte instruction bundle plus a Gemini CLI process — is not something baseline EDR was built to notice.
What the CLI is not
The CLI is not, by itself, a vulnerability. Google shipped a legitimate coding tool that does what it says on the tin. There is no advisory to link, no patch to schedule, no version string to sweep for. Gemini’s refusal on the agent-worm prompt shows the safety layer is present; it also shows the safety layer is not the same thing as a policy engine that reasons about what the tool is being used for across a whole session.
The comparable historical shape is a legitimate remote-admin utility being used as C2 — PsExec, RustDesk, ScreenConnect, AnyDesk. Those were built for administrators. Attackers took them because they were already trusted, already signed, and already covered by whatever allowlist an environment maintained. The current generation of agentic coding CLIs are on the same trajectory. Cursor, Claude Code, Gemini CLI, Aider — the class is the surface, not any one product.
What to do if you deploy or allow agentic CLIs
Standard host-hardening, not framework-specific.
- Assume that any host running an unattended agentic coding CLI is, functionally, a C2-capable host. Treat egress from those hosts the way you treat egress from your build agents.
- Log the CLI’s shell invocations and file writes to an off-host destination the CLI itself cannot modify. The playbook here fit in three text files; the next iteration will too, and the value of finding them is proportional to how far off the host they get written.
- Do not rely on network-layer heuristics that assume attacker traffic is machine-paced. A conversational operator produces conversational cadence.
Related
Same news window, adjacent story: Mindgard: Cursor still runs git.exe from repo root. Different tool, same class of surface — the agentic coding assistant treats the workspace it opens as an execution scope, and that scope has a very short walk to the rest of the host. For the developer-tooling supply-chain angle from the same week, Compromised AsyncAPI npm packages deliver multi-stage botnet loader.
Sourcing
- Trend Micro, Actor Behind Patriot Bait Used AI to Deploy C2 Botnet — primary research writeup, July 2026.
- BleepingComputer, Google Gemini CLI abused as a hacking agent, malware botnet operator — secondary summary, July 15, 2026.
- Google has not responded to a request for comment as of publication.
Found this useful? Share it.


